Using Marvel with Shield
Marvel consists of two components: a Marvel agent that you install on each node in your cluster, and a Marvel application you install in Kibana. The Marvel agent collects and indexes metrics from Elasticsearch and you visualize the data through the Marvel dashboards in Kibana. The agent can index data on the same cluster, or send it to an external monitoring cluster.
To use Marvel with Shield enabled, you need to set up Kibana to work with Shield and create at least one user for the Marvel app. If you are using an external monitoring cluster, you also need to configure a user for the Marvel agent and configure the agent to use the appropriate credentials when communicating with the monitoring cluster.
Setting Up Marvel App Users
When Shield is enabled, Kibana users are prompted to log in when they access the UI. To use the Marvel app, a user must have access to the Kibana indices and permission to read from the Marvel indices.
You set up Marvel app users on the cluster where the monitoring data is being stored. To grant all of the necessary permissions, assign the user the marvel_user role and the appropriate role you derived from the kibana4 role:
- If you’re using the default esusers realm, you can assign roles when you add a user, or modify the role assignments with the roles command. For example, the following command creates a user named jacknich and assigns the my_kibana_user and marvel_user roles:

      esusers useradd jacknich -r my_kibana_user,marvel_user -p password

- If you are using an LDAP or Active Directory realm, you can either assign roles on a per user basis, or assign roles to groups of users. By default, role mappings are configured in config/shield/role_mapping.yml. For example, the following snippet assigns the user named Jack Nicholson to the my_kibana_user and marvel_user roles:

      my_kibana_user:
        - "cn=Jack Nicholson,dc=example,dc=com"
      marvel_user:
        - "cn=Jack Nicholson,dc=example,dc=com"

The marvel_user and kibana4 roles are defined in the default roles.yml file.
For more information about deriving Kibana user roles, see Using Kibana with Shield.
Configuring Marvel Agent to Communicate with a Shield-Enabled Monitoring Cluster
To configure the Marvel agent to communicate with a secured monitoring cluster:
- Configure a user on the monitoring cluster who has the remote_marvel_agent role, which is defined in roles.yml. For example:

      esusers useradd agent-user -r remote_marvel_agent -p password

  Remote Marvel Agent Role.

      remote_marvel_agent:
        cluster: indices:admin/template/put, indices:admin/template/get
        indices:
          '.marvel-es-*':
            privileges: all

- On each node in the cluster being monitored, configure a Marvel HTTP exporter in elasticsearch.yml and restart Elasticsearch. In the exporter configuration, you need to:
  - Set the type to http.
  - Specify the location of the monitoring cluster in the host setting.
  - Provide the agent user credentials with the username and password settings.

  For example:

      marvel.agent.exporters:
        id1:
          type: http
          host: ["http://es-mon1:9200", "http://es-mon2:9200"]
          auth:
            username: agent-user
            password: password

If SSL/TLS is enabled on the monitoring cluster:
- Specify the HTTPS protocol when setting the monitoring server host.
- Specify a truststore that contains the CA certificate to use to verify the identities of the nodes in the monitoring cluster. You need to set the truststore.path and truststore.password.

For example:

    marvel.agent.exporters:
      id1:
        type: http
        host: ["https://es-mon1:9200", "https://es-mon2:9200"]
        auth:
          username: agent-user
          password: password
        ssl:
          truststore.path: /path/to/file
          truststore.password: password
      id2:
        type: local

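The exporter settings above can be checked before rollout. The following audit is an added example, not part of the Marvel or Shield documentation: `audit_exporters`, `_truststore` and the finding strings are hypothetical names, and the function assumes the `marvel.agent.exporters` block has already been parsed from elasticsearch.yml into a Python dict.

```python
# Placeholder secrets seen in documentation samples (assumed list).
PLACEHOLDER_PASSWORDS = {"password", ""}


def _truststore(ssl, key):
    """Read ssl truststore.<key>, written either dotted or nested."""
    if not isinstance(ssl, dict):
        return None
    nested = ssl.get("truststore")
    if isinstance(nested, dict) and nested.get(key):
        return nested[key]
    return ssl.get("truststore." + key)


def audit_exporters(exporters):
    """Hypothetical helper: findings for a parsed marvel.agent.exporters map."""
    findings = []
    for name, cfg in (exporters or {}).items():
        if cfg.get("type") != "http":
            continue  # local exporters have no remote host or credentials
        hosts = cfg.get("host") or []
        if isinstance(hosts, str):
            hosts = [hosts]
        schemes = {h.split("://", 1)[0].lower() for h in hosts if "://" in h}
        auth = cfg.get("auth") or {}
        if auth and "http" in schemes:
            findings.append((name, "credentials sent to a non-TLS host"))
        if "https" in schemes:
            for key in ("path", "password"):
                if not _truststore(cfg.get("ssl"), key):
                    findings.append((name, "missing ssl truststore." + key))
        if auth and str(auth.get("password", "")) in PLACEHOLDER_PASSWORDS:
            findings.append((name, "placeholder or empty agent password"))
    return sorted(findings)


# Constructed sample input: the two exporter configurations shown above,
# in the shape a YAML parser would return them.
PLAIN = {"id1": {"type": "http",
                 "host": ["http://es-mon1:9200", "http://es-mon2:9200"],
                 "auth": {"username": "agent-user", "password": "password"}}}
TLS = {"id1": {"type": "http",
               "host": ["https://es-mon1:9200", "https://es-mon2:9200"],
               "auth": {"username": "agent-user", "password": "password"},
               "ssl": {"truststore.path": "/path/to/file",
                       "truststore.password": "password"}},
       "id2": {"type": "local"}}

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("tls", TLS)):
        print(label, audit_exporters(sample))
```

Both sample configurations are flagged for keeping the documentation's sample password, and the plain HTTP one is also flagged because the agent credentials would cross the network without TLS.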
-
Set the